Cover Story: Get ready, SET, wait

Secure Electronic Transaction (SET) protocol was developed to give both customers and merchants an ironclad guarantee of identity and authenticity of online transactions. You would think everyone would come to the party, given online security concerns.

But the protocol has suffered setbacks stemming from lack of support and funding from the very community its success hinges on -- the banks. In Australia, three out of the "Big Four" don't want to touch it until there is more demand from consumers.

On the other side of the equation, the merchants say that mass demand won't happen unless there is support from the banks.

It looks like SET is crying out for a critical mass. Natasha David discovers who is putting their money where their mouths are.

Aren't standards strange phenomena? Everyone, it seems, wants interoperability, but few are willing to wait for it. It seems there is a fine line between the perfect technical solution and one that will "make do".

Secure Electronic Transactions (SET), the e-commerce payment standard-in-waiting, is facing a tough road ahead if you believe industry observers. Launched in a blaze of publicity in 1996, SET has since become the bridesmaid to Secure Sockets Layer (SSL).

One key success factor is support from banking institutions.

"Gartner Group predicted two years ago that if SET did not get a lot more funding and backing from the banking community, it would not fly," said Joe Sweeney, Gartner Group analyst.

"It never got that backing."

"SET has been under-funded, and proven to be slow and difficult to roll out, to the point where most are saying that the sun is setting on SET," he said.

According to promoters of SET, Visa International and MasterCard International, some 23 banks throughout the Asia-Pacific region have implemented SET, although no names have been dropped yet.

"SET has been least successful in Australia as far as the Asia-Pacific region is concerned," said Stephen Draper, director electronic commerce for MasterCard.

"Three of the four major banks have built SET systems that have remained dormant, apart from ANZ. The banks more willing to take it on are in the Asia Pacific region, particularly Hong Kong, Korea and Japan," he said.

At this stage, ANZ is the only major bank willing to take the plunge. Westpac is not planning SET capability until late next calendar year.

"We are not seeing a demand at the cardholder or merchant end of the equation," said Jonathon Poole, head of internet services at Westpac.

At the National Australia Bank, things look even grimmer for SET.

"We think SET's principles are first class, but it needs a critical mass," said Haydn Park, group manager media relations at NAB.

"We are waiting for the second version of SET to come out. The verification time for the merchant is too slow at the moment," he said. For the Commonwealth Bank, SET is "not an option", according to Stephen Coulter, CBA's general manager of eComms.

"We're looking at a range of payment solutions," said Coulter. "Our primary criteria are the three Ss: secure, simple and seamless to use."

One challenge for SET to overcome is the perception that its user interface is complex. And merchants and banks alike are keeping the consumers' best interests at heart.

As a SET cardholder, you would need to purchase a SET wallet and install it on your PC. Then you would need to get a digital certificate and work out how to use that.

There is a concern from both banks and merchants that if the consumer encounters difficulties at any stage, he or she may abandon the process.

"The process of downloading digital certificates in most user interfaces is relatively complex," Poole said. "Westpac found that it wasn't a friendly or a trust-building experience."

"Our approach centres on business requirements at the end-user and merchant's side, and SET implementation is too complex," Poole said.

However, there are solutions in the pipeline to address these usability concerns. "Vendors of SET-enabled toolkits are developing new solutions that don't require the cardholder to do these things," Draper said.

"These new products allow the banks to host the infrastructure, which both the user and merchant access from the outside world," he said.

"This will allow banks to deliver much better customer service for online payment systems." Server wallets are also currently in development, according to Greg Storey, head of VisaNet Australia & New Zealand.

"Vendors like CDT (Creative Digital Technology) and Chem Tech are establishing SET capabilities for server wallets," he said. "Most browsers already have a SET wallet capability that can be switched on."

"SET has been useful in raising the awareness of general security issues and some techniques available to address them," he said.

And on the merchant side, the echo remains -- demand for user-friendliness and manageability.

Bookseller Dymocks is likely to migrate to SET, "when it becomes more manageable", said Julian Bish, IT manager, Dymocks. "Though we are very reluctant to put hurdles up for customers on the Web.

"If the average person is like me, it's all too hard to remember passwords. If that means Dymocks accepts a small element of risk, so be it," Bish said.

Currently, cardholders don't use passwords or PINs to identify themselves on Dymocks' site.

"Maybe we're just lucky, but we have found that we've had very few charge-backs," Bish said. "We have procedures on the fulfilment side to guard against credit card fraud."

However, one merchant that is not impressed with SET is Travel.com.

"SET is too complicated for the consumer," said Dave Upton, CIO of Travel.com. "To make the sale, customers want to whack their credit card on the site and be gone."

"People will book things if it is easy. Every time you have to fill in a three-page form, the drop-off rate is enormous," he said.

Doug Jenkins, IT security consultant at Shell Services International, believes that the difficulty lies not in implementing the protocol, but the management of a digital certificate solution and ensuring there is worldwide acceptance of the protocol.

"Robust technical solutions are all very well, but it is just as important to implement something you know will be used at the other end of the pipe," Jenkins said. "Beta was a technically superior solution to VHS, and yet VHS owns the market," Jenkins said. "Why was that? The vendors convinced the market that there was going to be universal support for VHS."

Why fix something that ain't broke?

Secure Sockets Layer (SSL) is currently the most popular protocol in US e-businesses for online credit card payments. SSL provides point-to-point channel encryption, but in no way validates people on either end.

However, others see the implementation of SET as giving them a competitive advantage in the marketplace over those using SSL.

"There are many sites that claim to be e-commerce sites, but only a handful are doing it well," said Steven Spilly, managing director of E-Store, a Sydney-based online retailer of computers.

"SET will be another key differentiator, lifting the credibility of an e-business above those who are just trying to make a quick buck."The credible players in the market will rapidly embrace SET," Spilly said.

He said he also sees an opportunity to lift processing efficiency of his business. Manual checks are currently needed on accounts that have certain triggers, such as hotmail accounts or post box addresses, which slows things down.

"We don't store credit card numbers to guard against the threat of hackers," Spilly said. "We currently face a restriction in efficiency as it takes longer to refund a customer because the processing must be done manually."

It's horses for courses, according to VisaNet's Storey. "If you think authentication is not necessary, SSL is adequate," he said. "However, if authentication is necessary, there is nothing better on offer than SET.

"We made a lot of noise about SET when we first established the standard," Storey said.

"We have since learnt that the migration from SSL to SET is going to take longer than we anticipated because SSL has taken off as a de facto standard," he said.

A final bone of contention for both merchants and banks alike is the cost of implementation.

"SET is quite costly to set up at the moment," said Paul Williams, marketing communications manager for Cellarmaster Wines.

"There is also never a lot to be gained by being at the leading edge of technology when you are dealing with a mass market," he said.

"SET is more expensive to implement initially, because it is new technology," agreed MasterCard's Draper.

However, according to Storey, "three of the major four banks have SET capability. The marginal cost of activating SET is not as high as some believe."

At the end of the day, security simply doesn't get many consumers' pulses racing anymore, apart from those in Australia, according to one Gartner analyst.

Joe Sweeney said: "Over 60 per cent of consumers in Asia had no problems putting their credit card online, according to a survey I conducted five years ago with Asia Online. Most Australians seem to be more security conscious than their neighbours."

Although he found no apparent reason for our online jitters, Sweeney believes that outside Australia SET seems to be overkill.

"SET provides a high level of authentication and is the most robust on the market," he said. "However, globally, especially in the Asia-Pacific region, users don't care about authentication."

"SET will probably go merchant-to-bank, rather than merchant to bank to user," Sweeney said. "Its vision may reduce, but that may be its salvation."

Upton, from Travel.com, agrees that security has become less of an issue with customers.

"In some instances, people are saying it is more dangerous to give your credit card to a waiter who can make an imprint than give your credit card number online," he said.

E-Store's Spilly agreed. "At the end of the day, the consumer carries no risk. The merchant shoulders the liability. Customers are more concerned with the accountability of an online merchant," he said.

"It is very easy to put a Web site up, which can be taken down the next day," Spilly said.

Despite these opinions, Storey believes that the market will accept SET over time.

"SET is currently the only recognised way of making authentication possible on a global basis," he said.

"No competing solution has emerged since the outset of SET's development."

"We may be guilty of hyping up the subject a little, but that does not detract from the notion that authentication is needed," Storey said.

The consumer must register their specific card with their issuing bank, which then issues the consumer with the digital certificate to use in place of the credit card number.

In Australia, only ANZ Bank has signalled its intention to issue its ANZ VisaCard holders with SET-compliant digital certificates. Digital certificates, part of Public Key Infrastructure (PKI), are used as the basis of SET's security.

SET also uses encryption. Two algorithms are used, symmetric and asymmetric, better known as public key algorithms.

ANZ then issues the consumer with a Compaq's GlobeSet digital wallet. The customers of ANZ must set up their PC with a GlobeSet wallet that sits behind their browser.

In a move to make the solution more transparent for the consumer, thus making payment transactions easier, this wallet should reside on the bank's server (server wallet).

When the consumer accesses a Web site that offers a SET payment option, the consumer is able to verify their identity and download the merchant's certificate to their wallet.

At the merchant end of the transaction, Creative Digital Technology (CDT), a vendor of e-commerce toolkits for merchants, has intertwined the GlobeSet product with its payment server.

When a consumer accesses "SET payment" on the merchant's Web site, this triggers a function in CDT's SET-compliant product, which triggers the opening of the consumer's wallet in their browser.

After the consumer selects which card in the wallet he or she wishes to use, those credentials are shared through the SET process for verification as well as the merchant's certificate, which is housed inside CDT's payment server.

Taronga Zoo secures e-comm

Pssst . . . wanna buy a koala?

The honour of being the first in Australia to use the SET Secure Electronic Transaction standard goes to The Zoological Parks Board (ZPB) of NSW. Taronga Zoo in Sydney recently demonstrated its ability to securely process commercial online credit card purchases.

"Taronga and Western Plains Zoo (in Dubbo, north-west of Sydney) have been pioneers in developing e-commerce," said Guy Cooper, director and CEO of ZPB NSW.

"The ZPB believes that SET will provide customers with a secure and safe method of electronic payment through the internet for our products, including sponsorship, souvenirs and ticket sales." The zoo used a suite of SET-certified products developed by Creative Digital Technology (CDT) and supported by ANZ. Still on trial, the Web site allows ANZ Visa credit card holders to make payments using the SET standard at Taronga and Western Plains Zoos.

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.